
Instant Demo Guide

Cisco dCloud

Cisco Threat Response v1.21 – Instant Demo

Last Updated: 12-March-2020

About This Demonstration


This guide for the preconfigured demonstration includes:

About This Demonstration

Requirements

About This Solution

For More Information

Get Started

Using the Browser Plugin from a Talos blog article

Explore Incident Manager

What’s Next?

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 56

Requirements
The following outlines the requirements for this preconfigured demonstration.

Required:

• Laptop with Cisco AnyConnect®

• Google Chrome or Firefox browser

• dCloud access and account

Optional: None

About This Solution


Cisco Threat Response automates integrations across select Cisco Security products and accelerates key security operations
functions: detection, investigation, and remediation. It is a key pillar of our integrated security architecture. Cisco Threat Response
dramatically cuts the time and manual effort required to investigate and remediate cybersecurity incidents. It adds value to your
existing Cisco security products like Umbrella®, AMP for Endpoints®, Firepower®, and Threat Grid® by delivering quick, confident,
consistent answers when time matters most. Cisco and third-party security products are added into Threat Response as Modules.

The two scenarios in this demo can be presented separately, or together in either order. If you delve into response actions in the
first scenario, you can concentrate in the second on the entry-point feature, the details of the browser plug-in, or the Incident
Manager. Both scenarios use the investigative and response functions of the Investigate UI.

For More Information


Learn more at www.cisco.com/go/threatresponse.


Get Started

IMPORTANT NOTE: Because you need to log in to AMP to run the demonstration in the CTR ID, you will open Cisco Threat
Response v1.2 - AMP for Endpoints - Instant Demo as described in Step 5 below. This gets you to a Cisco Security Account from
where you can run the demo (Step 6).

Follow the steps to prepare and configure your presentation environment.

1. Use Chrome or Firefox to log in to dCloud.

2. Click Catalog and select Instant Demo from the side bar. This lists all the dCloud Instant Demos.

3. In the Search or Filter field, enter Cisco Threat Response v1.2.

4. Five demonstrations display:

• Cisco Threat Response v1.2 - AMP for Endpoints - Instant Demo

• Cisco Threat Response v1.2 - Instant Demo

• Cisco Threat Response v1.2 - Email Security - Instant Demo

• Cisco Threat Response v1.2 - Threat Grid - Instant Demo

• Cisco Threat Response v1.2 - Umbrella - Instant Demo

5. Click the View button for Cisco Threat Response v1.2 - AMP for Endpoints - Instant Demo.


NOTE: This action logs you into a Cisco Security Account. After the next step this tab is no longer required; however, you can use it
to demo AMP if you like.

6. When logged into AMP, click the View button for Cisco Threat Response v1.2 - Instant Demo.


7. In the Threat Response window, select Log in with Cisco Security.

Optional: You can show how those products (for which there are other Instant Demos) integrate with Threat Response,
including the effects of taking response actions in Threat Response, such as a file hash added to an AMP SCDL, isolation
activated on an AMP endpoint, or a domain added to the Umbrella block list. Instructions for demonstrating those features
in the integrated products themselves (rather than from within Threat Response) are outside the scope of this document.

NOTE: Please note that you are operating a live, shared system. If you expect a target or observable’s pivot menu to include
response actions such as block, add, or isolate, and upon pivoting the options are instead unblock, remove, and de-isolate, this
means that another investigator has issued those commands and left the system in that state. Feel free to continue showing
the API by using the available actions and explaining the situation to your audience. Alternatively, you can run through the demo
immediately or shortly ahead of your demo time and un-block, un-isolate… all the items to prepare the demo session.


Using the Browser Plugin from a Talos blog article

This demo showcases an investigation that also leverages the Threat Response browser plug-in, a valuable tool that integrates all
the capabilities of Threat Response into the browser for use with any browser content. This scenario walks the user through a
simple threat hunt, an investigation, and quick first-strike response actions, as performed by Security Operations teams daily. No
competitor provides the same level of visibility, speed, and out-of-the-box integration that Cisco’s integrated architecture does.

This scenario presents the browser plug-in and tasks you can accomplish using third-party or external threat intelligence, from any
source, with Threat Response.

Introduction
This demo guide for Threat Response is meant to show the power of the Cisco Security integrated architecture. Based on a
real-world scenario of DNSpionage, this demo allows sellers to experience and show prospects and customers how Security
Operations Center personnel can conduct a security investigation using our architecture.

The demo highlights the integration of the Cisco Security portfolio using the following:

• Cisco Threat Response APIs

• Cisco Firepower

• Cisco AMP for Endpoints

• Cisco Umbrella

• Cisco Email Security

• Cisco Threat Grid

• Cisco Stealthwatch

• Cisco Web Security

Value Proposition: Although this demo leverages all these products, customers only need one to get started with Threat Response
at no cost. The more products they own, the faster they can conduct investigations with Threat Response. Threat Response also
offers open APIs, so that customers can fully leverage Threat Response in their environment. For more resources, check out our
website and SalesConnect page.


Abstract of DNSpionage

In November 2018, Cisco Talos discovered an attack campaign, DNSpionage, in which threat actors created a new remote
administrative tool that supports HTTP and DNS communication with the attackers' command and control (C2). Since then, there
have been several other public reports of additional DNSpionage attacks, and in January, the U.S. Department of Homeland
Security issued an alert, warning users about this threat activity.

In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the
DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February,
we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance
phase that selectively chooses which targets to infect with malware. In April 2019, Cisco Talos also discovered the actors using a
new malware, which we are calling "Karkoff". You can check out the Talos Threat Spotlight for Karkoff.


Preparation
• Review the Firepower FAQs and become familiar with our recently released Firepower integration.

• Tailor the demo to your style of presentation.

• Reach out with your feedback and/or questions: threat-response-pm@cisco.com.

• Learn about the capabilities of the browser extension by checking out the blog post authored by Ben Greenbaum.

Setup – Browser Plug-In

If your browser already has the plug-in installed, you will need to obtain the API credentials from the dCloud environment and swap
them in. Your credentials will not work in the demo story and will significantly impact the quality and flow of the demo experience.
We recommend using a dedicated browser profile for demonstrations. This enables you to save the dCloud plug-in credentials and
your own credentials separately. You can switch to your instant demo profile at any time, rather than configuring and reconfiguring
the plug-in.

If you have already installed the browser plug-in in the browser profile in which you will run the demo using the dCloud account
credentials, you may move directly to the steps below.


Get API keys from Threat Response

1. To access the Threat Response v1.2 demo, click the View button for Cisco Threat Response v1.2 - AMP for Endpoints - Instant
Demo, and then click the View button for Cisco Threat Response v1.2 - Instant Demo.


2. When you are logged into Cisco Threat Response, browse to Settings > API Clients > Add API Credentials.


3. Generate a set of API credentials with all scopes and select Add New Client.

o Use your Cisco internal ID or CCO ID as the start of the Client name.

4. Save your client ID and password.


Install Extension

5. Install extensions, depending on your browser of choice.


For installation guidance, watch the video at cs.co/ctr_plugins_video.

6. Download the CTR Extension:

o Chrome: cs.co/ctr4chrome

o Firefox: cs.co/ctr-4-firefox

7. Configure the Browser Plug-in for NAM region using the credentials you generated in dCloud.


8. Click the Cisco Threat Response browser tab.

9. We will start an investigation for Karkoff using the browser extension. Browse to the Talos Blog post at
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html.


10. When the Talos page has loaded, click the CTR extension.

11. When the extension launches, select the extension button that tells the extension to Find observables in page.

12. Discuss the results of the APIs inspecting the threat intelligence presented in the blog.

The extension used the Threat Response APIs to do two things here that we can see so far:

• Extract the observables from the raw, unformatted text in the web page.

• Look up each of those observables to retrieve the disposition or reputation of the item:
  Clean, Malicious, Suspicious, or Unknown.
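As an added illustration (not code from this guide or from the Threat Response extension), the following Python sketches the two steps above: pull observables out of unformatted text, including indicators defanged with "[.]" as Talos publishes them, then look each one up for a disposition. The observable values are the ones this guide walks through; the sample text, the disposition table standing in for the Threat Response enrichment lookup, and the function names are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample text in the style of a Talos write-up: indicators are
# defanged with "[.]" as published. The values are the ones this guide uses.
SAMPLE_TEXT = """
Karkoff samples beacon to 108.62.141.247 and resolve 0ffice36o[.]com.
Mail for the campaign was relayed through mx-pool48.kronicstudios[.]com.
Dropper SHA256: 8ec4b6188a91ad6828e883ed3be9fa5f461d38fcf896f4641833965d1b8b968b
An internal host 192.168.249.111 contacted the C2 address.
"""

# Constructed disposition table standing in for the Threat Response
# enrichment lookup (assumption: real verdicts come from the API).
DISPOSITION_TABLE: Dict[str, str] = {
    "108.62.141.247": "Malicious",
    "0ffice36o.com": "Malicious",
    "mx-pool48.kronicstudios.com": "Suspicious",
    "8ec4b6188a91ad6828e883ed3be9fa5f461d38fcf896f4641833965d1b8b968b": "Malicious",
}

HEX_HASH_RE = re.compile(r"\b[a-f0-9]{64}\b|\b[a-f0-9]{40}\b|\b[a-f0-9]{32}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname labels joined by dots, ending in an alphabetic TLD (so IPs never match).
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(text: str) -> str:
    """Undo the defanging conventions used in threat-intel write-ups."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def extract_observables(text: str) -> List[Tuple[str, str]]:
    """Return de-duplicated (type, value) pairs in the order they are found."""
    text = refang(text)
    found: List[Tuple[str, str]] = []
    seen = set()

    def add(kind: str, value: str) -> None:
        key = (kind, value.lower())
        if key not in seen:
            seen.add(key)
            found.append(key)

    for m in HEX_HASH_RE.finditer(text):
        add(HASH_TYPES[len(m.group(0))], m.group(0))
    for m in IPV4_RE.finditer(text):
        try:
            ipaddress.IPv4Address(m.group(0))  # drops "addresses" with octets above 255
        except ValueError:
            continue
        add("ip", m.group(0))
    for m in DOMAIN_RE.finditer(text):
        add("domain", m.group(0))
    return found


def lookup_dispositions(observables: Iterable[Tuple[str, str]],
                        table: Dict[str, str] = DISPOSITION_TABLE) -> List[Dict[str, str]]:
    """Attach a verdict to each observable; anything not in the table is Unknown."""
    results = []
    for kind, value in observables:
        entry = {"type": kind, "value": value, "disposition": table.get(value, "Unknown")}
        if kind == "ip":  # the Investigate UI separates private from external addresses
            entry["scope"] = "private" if ipaddress.ip_address(value).is_private else "public"
        results.append(entry)
    return results


def select_for_investigation(results: List[Dict[str, str]],
                             verdicts: Iterable[str]) -> List[Dict[str, str]]:
    """Mirror the verdict label-buttons: keep observables with the chosen dispositions."""
    wanted = set(verdicts)
    return [r for r in results if r["disposition"] in wanted]


if __name__ == "__main__":
    results = lookup_dispositions(extract_observables(SAMPLE_TEXT))
    for r in results:
        print(f"{r['type']:7} {r['disposition']:10} {r['value']}")
    picked = select_for_investigation(results, {"Malicious", "Unknown"})
    print(f"{len(picked)} observables selected for investigation")
```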


13. Click the pivots for the domains and the file hashes.

Value Proposition: The extension has also performed a third task already – it has queried Threat Response APIs to find out what
actions are available for each of the observables, based on the observable type and the configured modules.

14. Explain the Response API that allows the SOC to respond right here without having to change to another interface.

• Domain Block: (click on the pivot arrow next to any domain)


• File block: (click on the pivot arrow next to any file hash)

NOTE: Because this is a shared environment, another investigator may have issued block commands and left the system in that
state. Clarify this for customers if necessary.

15. Click the Malicious and Unknown label-buttons at the top of the widget to select all items matching those verdicts, and then
click the Investigate button.


NOTE: Click Investigate to launch an investigation in the Threat Response interface.

16. Explain the investigate UI to the audience. Your investigation will likely yield targets. In the example screenshot, three targets
are found. Your results may vary, and that is expected. A graph node with a blue magnifying glass indicates that it is an
investigated observable. A node on the graph without a blue magnifying glass is a sighting that has been found by the
configured modules as part of the enrichment process.

Value Proposition: These targets are being reported by multiple Cisco technologies that we have deployed in our environment.
This is the power of seeing data from the integrated architecture in a single console.


17. Examining the target summary, we see a mix of network and endpoint targets. Highlight the details of one or two example
targets.

Value Proposition: This target sighting was provided by the Umbrella module, specifically from the Umbrella Reporting Most
Recent Requests API.


Click the target to reveal more information: the private IP address (192.168.249.111) and the external IP address (64.100.2.10).

Value Proposition: This target sighting was provided by the Firepower module.

Value Proposition: This target sighting was provided by the AMP for Endpoints module.


18. In the Summary toolbar, click Modules to show the number and type of modules that responded with additional details.


19. Review the indicators and explain that IPS alerts and Stealthwatch alarms are now represented as indicators.

Value Proposition: In this example, indicators are from Threat Grid, Firepower, Stealthwatch, and potentially other sources.
INDICATOR-COMPROMISE DNSpionage Karkoff C2 is the message of the IPS signature that triggered – this was transmitted by
Firepower.


20. Scroll down to the relation graph and click Simplify.

21. Focus on the section with IPs, hashes and domains being connected. You can move uncorrelated information to the side on the
graph if necessary. Explain that this is the cluster of observables that have been seen in the user’s environment, via one or more
of their configured Cisco security technologies.


21. Hover your mouse over the various observables to reveal the nature of the relationships.

22. Find the mx-pool48.kronicstudios.com domain in the graph and add it to the investigation.


Value Proposition: This is the domain that resolved to the investigated observable 108.62.141.247 at the time of incident promotion
(reverse DNS). By adding this domain to the investigation, the SOC is able to search for any communications to this domain that
may have bypassed the IPS signature. An IPS signature is specific to a pattern of traffic, so traffic that does not match exactly
would bypass the signature. This step looks for domain lookups without signature context, which can be helpful in the course of
investigations. Now that we have added it to the investigation, if there are hosts in the environment that have reached out to the
domain, the target count will increase. In this case, there is an additional sighting from a thermostat, possibly beaconing out to
the domain.


23. Review the results of adding this domain to the investigation: There should be a new target, with a name that indicates that it
is a thermostat. Point out that Umbrella can protect from, and report on, threats that affect any DNS-capable device,
regardless of OS or loaded software.

24. Discuss the actions available to the SOC based on the configured modules. The Umbrella “Enforcement” API is used to block
the domain from within Threat Response, without even having to pivot to the Umbrella UI.

NOTE: Because this is a shared environment, another investigator may have issued block/unblock commands and left the system in
that state. Make this clear to customers, as appropriate.


25. Review the relationships and see that AMP for Endpoints has reported on a file hash that has communicated to the IP address
being investigated.

26. Add this hash to the investigation: (8ec4b6188a91ad6828e883ed3be9fa5f461d38fcf896f4641833965d1b8b968b)

27. Review the results of adding the file to the investigation.


In the example screenshot above, we see that the file was seen attached to two emails, each of which went to the same three
recipients. We see the sender, subject line, filename, and other email information. We see that one of the recipients is
alexa@bce-demo.net. We also see that the file was observed on the Alexa-Win10 endpoint, in a subfolder of the alexa user’s home
directory. (Also, remember that you can move node icons around in the graph to help you visualize.)

Value Proposition: Adding the hash should yield sightings from the Email Security module showing, among other details, the
email address(es) targeted. It should also show sightings from the Web Security modules, including the URL(s) from which it was
downloaded. Both of these sightings include additional useful information as well.


Value Proposition: From the email information we received from our SMA email module, we see that the Alexa-Win10 device has
the suspicious file on it, has made connections to attacker infrastructure, and that the Alexa user was the recipient of one of the
spear phishing emails that had the file as the attachment. We can take action to prevent our adversaries from leveraging their
foothold on the Alexa machine, right now. Endpoint isolation is a powerful feature that allows SecOps teams to control threats.

28. Select the ALEXA-WIN10 Target in the Target Summary Bar to highlight it in the Relations Graph, and then in the details box
at top left pivot on the AMP Computer GUID.


29. Click Start Isolation for ALEXA-WIN10 from the network as a response action.

30. With the risks of a compromised endpoint mitigated, we can turn back to our ongoing investigation. In the Target Summary
Bar, point out a new target. Notice that this target is in a different subnet, the one used by our remote AnyConnect VPN users.


31. To get a better view of the relationships, it might be necessary to clean up the relations graph. Select the Types menu, deselect
the options shown below, and set the Mode to Simplified.

32. Click Modules to reveal that there is more than one Web Security Appliance sighting for the “8ec4b6188…” SHA256.
Both 192.168.249.113 and the remote user 172.31.67.11 have downloaded this file from Google Drive using a URL of
“…googleusercontent.com:443/”.


33. Optional: Add “googleusercontent.com” in the investigation as an observable. This will yield additional Web Security
Appliance sightings of malicious file downloads from google drive.

Value Proposition: WSA offers unmatched, granular visibility into web traffic. Using WCCP redirection from ASA, even remote
users’ web traffic is decrypted. WSA offers complete visibility into the payloads of encrypted file downloads and the full URLs of
HTTP GET requests from the user’s browser. Without WSA, HTTPS file transfers would bypass a firewall, and we would not have seen
the specific URL that users in my environment are using to share files.


SWE Pivot: Optional


The following steps are part of the optional workflow to demonstrate the SWE pivot, which enables the user to launch the SMC
interface directly from within Threat Response, provided their on-premises SMC appliance is reachable from their location or they
are connected via VPN. This section will bring value to SWE customers or potential customers.

34. To show the Stealthwatch Enterprise pivot, go back to the Targets menu in the upper right of the metrics bar and highlight the
Target Endpoint with IP 192.168.249.166. Click to highlight it in the graph, and see that it has connected to the known bad IP
address 108.62.141.247, and 0ffice36o.com.

35. From the pivot menu on the IP address, select Host Report under the Stealthwatch Enterprise subheading. Show all the
information that is available in the SWE interface. To log into the SMC, use the username “demoanalyst” and the password
“C1sco12345”.

36. Focus on the Alarms by Type section and notice that this IP has generated multiple events including the event
‘Data_Hoarding.’ Click on the ‘Data_Hoarding’ section of the chart.

37. The Alarm Table will now load. Notice that the alarms are occurring on the host 192.168.249.101, which is recognized as a target
in CTR.


38. Click the ellipsis (…) under Actions for one of the alarms, and then choose View Flows to show the Flows table.
The flow table will show FTP being used to pull data from 192.168.248.101, which contains sensitive data.

39. Click the ellipsis next to the IP 192.168.249.166 and load the CTR widget.

40. Click Investigate this IP Address.

41. [OPTIONAL] This will load a new investigation focused on the .166 IP, where we can see that it has been busy. Click Indicators,
either in the top metrics bar or in the Observables panel at the bottom. Note the Data Hoarding Indicator from Stealthwatch,
as well as the DNSpionage Karkoff C2 indicator from Firepower.

Value Proposition: SWE offers advanced network analytics and anomaly detection based on applying machine learning models to
observed NetFlow data. This pivot into the on-prem interface offers immediate deep-dive capabilities at the click of a button. The
pivots in the SWE interface offer the SWE user immediate enrichment via all the combined abilities of the Threat Response toolset.


42. Continue to explore the Graph - highlight the additional details around the file name, additional malicious IPs that the file
connected to, the email subject, the email sender etc.

Summary
Wrap up by sharing some key takeaways from the demo. With Threat Response and the integrated Cisco Security portfolio,
investigators can rapidly:

• Answer questions faster about observables.

• Block and unblock domains and file executions from Cisco Threat Response.

• Hunt for an observable associated with a known actor and immediately see organizational impact.

• Save a point-in-time snapshot of our investigations for further analysis.

• Document our analysis in a cloud casebook from all integrated or web-accessible tools, via an API.

• Integrate Cisco Threat Response easily into existing processes and custom tools.

Value Proposition: Make sure to remind the audience that while this exercise started in a TALOS blog, the browser contents could
have been anything, including even the browser-accessible user interfaces of unintegrated or competing SIEM, SOAR, or security
products.


Explore Incident Manager

This demo showcases an investigation that starts in the new Incident Manager, a valuable tool that decreases triage time by
funneling the highest-priority incidents into an easily investigated queue. This scenario walks the user through an incident alert, an
investigation, and quick first-strike response actions, as performed by Security Operations teams on a daily basis.

This scenario presents the new Incident Manager features in Threat Response and shows some of the major tasks you can perform
from that interface.

Introduction
In this demonstration, we will explore the new Incident Manager features: its user interface and available functions.

Security Operators are inundated with alerts from a variety of sources. These alerts are uncorroborated and require manual triage.
Threat Response mitigates these problems by providing a list of curated, triaged incidents where the important items “bubble up”
to user attention as a result of automated filtration. Eventually multiple products will feed alerts into Threat Response’s Incident
Manager; in this first version the Incidents are derived from Intrusion Events reported by Firepower devices.

We start with an entry in the Incident List, explain how it came to be on that list, and then drill down into the details of that
Incident. From there we explore the information in the Incident Details entry for that Incident, mark it as “open”, and pivot to an
Investigation. During the course of that Investigation we take some snapshots and make a casebook, which we then assign to the
Incident. We end back at the Incident Details page, showing the linked casebook and snapshots.

This investigation starts with an alert about detected Command and Control (C&C) traffic. This is a high urgency alert because it
means that there is a successful infection already active inside our perimeter. This is a common scenario that SOC workers around
the world have to react to quickly and decisively, to contain the damage and prevent further spread while they investigate and
repair the systems already affected.

NOTE: Please note that you are operating a live, shared system. If you expect a target or observable’s pivot menu to include
response actions such as block, add, or isolate, and upon pivoting the options are instead unblock, remove, and de-isolate, this
means that another investigator has issued those commands and left the system in that state. Feel free to continue showing the
API by using the available actions and explaining the situation to your audience. Alternatively, you can run through the demo
immediately or shortly ahead of your demo time and un-block, un-isolate… all the items to prepare the demo session.

Rehearse and tailor the demo to your style of presentation. For feedback or questions, reach out to our internal mailer (for sales)
threat-response-pm@cisco.com or external mailer (for partners) threat-response-early@cisco.com.


Preparation
• Review the Firepower FAQs and become familiar with our recently released Firepower integration.

• Tailor the demo to your style of presentation.

• Reach out to our internal mailer with questions: threat-response-pm@cisco.com.

• Learn about the capabilities of the browser extension by checking out the blog post authored by Ben Greenbaum.

Setup – Browser Plug-In

If your browser already has the plug-in installed, you will need to obtain the API credentials from the dCloud environment and swap
them in. Your credentials will not work in the demo story and will significantly impact the quality and flow of the demo experience.
We recommend using a dedicated browser profile for demonstrations. This enables you to save the dCloud plug-in credentials and
your own credentials separately. You can switch to your instant demo profile at any time, rather than configuring and reconfiguring
the plug-in.

If you have already installed the browser plug-in in the browser profile in which you will run the demo using the dCloud account
credentials, you may move directly to the steps below.


Steps: Explore Incident Manager

1. Click the Cisco Threat Response browser tab.


2. In the uppermost navigation bar, click Incidents.

3. Explain to the audience the significance of the incident list:

Value Proposition: These are events detected by on-premises devices and cloud services that Cisco and the user have determined
to be of highest importance.

As of CTR release v1.39, Firepower and Stealthwatch notable events are published to Incident Manager.

Stealthwatch alarms can be sent to Incident Manager from Stealthwatch Management console version 7.12 or higher.

Starting with Firepower 6.3, Intrusion Events are sent as Incident candidates to be potentially displayed in Incident Manager. As of
Firepower 6.5, Malware and Security Intelligence events are also supported event types. The dCloud demonstration script below
will focus on demonstrating a root cause investigation of an Intrusion event.

This determination is done via a variety of factors.

 Cisco-managed Automated promotion

o This is currently done via Talos Reputation lookups on the involved IP addresses.

o Future capabilities may include

 auto promotion of specific events or categories of events

 auto-promotion above an Urgency threshold, as rated in the IPS signature itself

 User controlled automated promotion

o The user can select IP subnets for which all alerts will be either promoted or ignored

o Future capabilities may include

 User selection of specific signatures or classes of signatures to promote or ignore

 User selection of specific IP:protocol:port combinations to promote or ignore

 User manual selection

o The User can select from the full list of reported Intrusion Events and promote events individually or as groups
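The three promotion paths above (Cisco-managed reputation lookup, user-controlled subnet rules, and manual selection) can be modelled as a small triage policy. The following Python is an added illustration for this guide, not Threat Response's own promotion engine; the events, the reputation table and the precedence order (user ignore rules win, then manual selection, then user promote subnets, then Talos reputation) are assumptions made here for the example, and the only reason string taken from the page is "ipReputation".

```python
import ipaddress

# Constructed sample of Firepower intrusion-event candidates (illustrative, not captured telemetry).
# Signature IDs, hosts and messages other than the Callback Campaign 131 event are made up for this example.
EVENTS = [
    {"id": "1:1000001:1", "src": "10.1.1.20", "dst": "31.210.117.131",
     "msg": "MALWARE CNC SIGNAL - OSINT - Callback Campaign 131"},
    {"id": "1:2000002:3", "src": "10.1.5.7", "dst": "198.51.100.10",
     "msg": "POLICY-OTHER outbound connection (constructed)"},
    {"id": "1:3000003:1", "src": "10.9.0.44", "dst": "203.0.113.25",
     "msg": "SERVER-OTHER scan attempt (constructed)"},
    {"id": "1:4000004:2", "src": "192.168.50.5", "dst": "203.0.113.99",
     "msg": "INDICATOR-COMPROMISE beacon (constructed)"},
]

# Constructed stand-in for the Talos reputation lookup that cloud-side promotion relies on.
TALOS_REPUTATION = {"31.210.117.131": "malicious", "203.0.113.25": "neutral"}


class PromotionPolicy:
    """Decides whether an intrusion-event candidate is promoted into Incident Manager.

    Precedence is an assumption of this example: ignore rules first, then manual
    selection, then user promote subnets, then the reputation lookup.
    """

    def __init__(self, promote_subnets=(), ignore_subnets=(), manual_ids=()):
        self.promote = [ipaddress.ip_network(n) for n in promote_subnets]
        self.ignore = [ipaddress.ip_network(n) for n in ignore_subnets]
        self.manual = set(manual_ids)

    @staticmethod
    def _in_any(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def reason(self, event, reputation=TALOS_REPUTATION):
        """Return the promotion reason for an event, or None if it stays a candidate."""
        ips = (event["src"], event["dst"])
        # User-controlled suppression: alerts touching an ignored subnet are never promoted.
        if any(self._in_any(ip, self.ignore) for ip in ips):
            return None
        # User manual selection of individual events.
        if event["id"] in self.manual:
            return "manual"
        # User-controlled automated promotion by subnet.
        if any(self._in_any(ip, self.promote) for ip in ips):
            return "userSubnet"
        # Cisco-managed automated promotion: Talos reputation on the involved IPs.
        if any(reputation.get(ip) == "malicious" for ip in ips):
            return "ipReputation"
        return None


def triage(events, policy):
    """Map each event ID to its promotion reason (None means it remains a candidate)."""
    return {e["id"]: policy.reason(e) for e in events}


if __name__ == "__main__":
    policy = PromotionPolicy(promote_subnets=["10.9.0.0/16"],
                             ignore_subnets=["192.168.50.0/24"],
                             manual_ids=["1:2000002:3"])
    for event_id, why in triage(EVENTS, policy).items():
        print(event_id, "->", why or "not promoted")
```

Running the block promotes the Callback Campaign 131 event with reason ipReputation, the manually selected event with reason manual, the 10.9.0.0/16 event with reason userSubnet, and leaves the 192.168.50.0/24 event unpromoted.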

NOTE: The application will likely show a list with more or fewer incidents than this. They will be different, but this does not affect
the demo.

4. [Optional] Show the audience the information and capabilities present in this screen:

o Search box at the top

o Fields in the list: Title, Status, Confidence, Description, Source, and Modified date

o Modify the status of individual incidents

o Download incidents in JSON format

o Select multiple items for bulk operations

5. Find the most recent (topmost) incident with a Description of MALWARE CNC SIGNAL - OSINT - Callback Campaign 131.
You may need to use the search function to find it quickly.

6. Click the Title of the Incident to load it in the Incident Viewer.

7. In the Incident Viewer, show the audience the available features of this new UI page.

Value Proposition: They get immediate color-coded target and verdict information, as well as the reverse DNS information on any
external IP addresses. Note that this lookup was done by the Cisco Cloud, not by the Firepower device. Show how they get the full
pivot menu options on all observables in the incident.

8. Show in the upper metadata that the promotion reason was ipReputation. This tells us that the IP address to which the detected
C&C connection was made is known to Talos as a bad actor.

9. [Optional] Show the information lower in the page, including:

 Incident timeline (be sure to clarify that this is a timeline of the incident “ticket” and not a timeline of the events recorded
therein)

 Sightings list, and how for each sighting the user gets:

 Time elapsed since the observation

 Detailed description provided by the source, in this case the title, IPs, and exact date-stamp from the Firepower device

 Confidence and Severity ratings

 More details from the source, such as protocol and ports, event type, so on, and so forth

 Sighting source’s reported resolution

 Sighting source’s name

 Link to the raw information from that source

 Relations and targets in the sighting

10. Show the buttons at the top left of the page.

11. Describe that you can:

o Pivot straight into the Investigate UI

o Link a casebook to this incident

o Change the status of it from new to open to closed or back if needed

o Download the incident data in JSON format.

12. Click the Change Status button. If the status is New, change the status of the Incident to Open.

Investigate
1. Click the Investigate button to pivot into the Investigate UI.

NOTE: Depending on your screen resolution and other options, your layout might be slightly different than the below.

Value Proposition: Immediately you see multiple targets - not only the internal machine whose traffic triggered the Firepower
event in the Incident Manager, but other devices as well.

13. To learn more about the targeted workstations, click the arrow next to Targets.

Value Proposition: This information lets the investigator immediately know that they are impacted, as sightings from the modules
have been reported for the observables.

NOTE: The exact number and names of targets might be different than these images show. This will not impact the demo. As long
as there is at least one IP address, Umbrella target, and AMP target, the demo will work.

14. Click any result to be taken directly to that system in the Relations Graph.

15. To see the relationship type between any two icons in the Relations Graph, hover over either node in the relationship.

16. To get more information about any node in the graph, click the triangle next to its icon to open a menu called the pivot menu.

17. Each item with a blue magnifying glass icon is an Observable that was in the investigation. These are enumerated and listed at
the top of the screen or the Observables pane. Nodes without a magnifying glass are additional data points returned by the
enrichment process.

18. View each icon’s colored coding:

 Red items are malicious

 Orange items are suspicious

 Purple items are targets

 Grey are unknown at this time.

 Grey circle around an IP address indicates an RFC1918 or private IP address

19. View the Observables widget and if it is not already in “tile view”, use the dropdown at top right to change it.

20. Find the observable items that have had recent targets or sightings.

21. To see more information, hover the mouse over an observable box.

22. To view all the known details about an observed item, click the item’s tile. This will switch you to List View, with the observable
you clicked on in focus.

NOTE: Click an item to see its position in the list (from the “List View”). You might need to scroll to the top of the list to see
relevant data.

23. If you didn’t already do this as part of Scenario 1, walk the audience through Judgments, Verdicts, Sightings and Indicators:

 Judgments – opinions returned by Modules on an Observable

 Verdicts – the Judgment that Threat Response selected as the most valid at this time

 Sightings – instances of the observable having been spotted, usually in the user’s network but sometimes in the wild

 Indicators – additional context about the observable, for example IPS signatures or Threat Grid Behavior Indicators that it
triggered
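To make the Judgment/Verdict/Sighting distinction and the graph colour coding concrete, here is an added Python illustration written for this guide; it is not Threat Response's own verdict logic. The judgments and sightings are constructed around the observables used later in this scenario, and the selection rule (highest-severity disposition wins, ties broken by confidence) is an assumption made for the example. The private-address check is the standard library's notion of a private network, which covers the RFC 1918 ranges mentioned in step 18.

```python
import ipaddress

# Assumed ranking used to pick one verdict from several module judgments.
DISPOSITION_RANK = {"malicious": 3, "suspicious": 2, "unknown": 1, "clean": 0}
CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed judgments: each is one module's opinion about one observable.
JUDGMENTS = {
    "31.210.117.131": [
        {"module": "Talos Intelligence", "disposition": "malicious", "confidence": "high"},
        {"module": "Umbrella", "disposition": "suspicious", "confidence": "medium"},
    ],
    "31-210-117-131.turkrdns.com": [
        {"module": "Umbrella", "disposition": "suspicious", "confidence": "medium"},
    ],
    "6cf7e427ab52ea95214cbd937a21cd8e8a4e80f1ef2c53cd8cb83c88a5436aee": [
        {"module": "AMP for Endpoints", "disposition": "malicious", "confidence": "high"},
    ],
}

# Constructed sightings: where an observable was seen and which hosts were the targets.
SIGHTINGS = [
    {"observable": "31.210.117.131", "source": "Firepower", "targets": ["10.1.1.20"]},
    {"observable": "6cf7e427ab52ea95214cbd937a21cd8e8a4e80f1ef2c53cd8cb83c88a5436aee",
     "source": "AMP for Endpoints", "targets": ["wkst1"]},
]


def select_verdict(judgments):
    """Pick the single judgment treated as the verdict (assumed rule: worst disposition, then confidence)."""
    if not judgments:
        return {"module": None, "disposition": "unknown", "confidence": "low"}
    return max(judgments, key=lambda j: (DISPOSITION_RANK[j["disposition"]],
                                         CONFIDENCE_RANK[j["confidence"]]))


def is_private_ip(value):
    """True for RFC 1918 and other private ranges; False for public IPs and non-IP observables."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def is_target(observable, sightings=SIGHTINGS):
    """An observable is a target when some sighting names it as the impacted host."""
    return any(observable in s["targets"] for s in sightings)


def classify(observable, judgments=JUDGMENTS, sightings=SIGHTINGS):
    """Return the verdict plus the Relations Graph colour the guide describes for this node."""
    verdict = select_verdict(judgments.get(observable, []))
    if verdict["disposition"] == "malicious":
        color = "red"
    elif verdict["disposition"] == "suspicious":
        color = "orange"
    elif is_target(observable, sightings):
        color = "purple"
    else:
        color = "grey"
    return {"observable": observable, "verdict": verdict, "color": color,
            "private": is_private_ip(observable)}


if __name__ == "__main__":
    for obs in ["31.210.117.131", "31-210-117-131.turkrdns.com", "10.1.1.20", "198.51.100.10"]:
        print(classify(obs))
```

With the constructed data, the external IP resolves to the Talos malicious judgment (red), the reverse-DNS domain is suspicious (orange), the internal 10.1.1.20 host has no judgments but appears as a sighting target (purple, flagged private), and an IP nobody has reported stays grey.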

24. Note that in the Relations Graph (or Targets list), we could easily see that we have three or more targets. Looking closely at
those targets, we see the following:

 One target was the internal IP address first reported by our Firepower device.

 Another target was a Windows 10 machine named wkst1, using information from AMP for Endpoints which told us that
this target contacted the IP address.

 One or more target networks with an unknown operating system were reported from the Umbrella Reporting API which
told us that machines in that network contacted or attempted to contact the domain that was provided via the Incident
Manager enrichment.

 There may be additional IP address targets; if so, these are internal IP addresses seen communicating with our internal IP
address in a manner that generated IPS alerts from our Firepower devices.

25. Click the icon for an unknown target to see what information we already have on that system.

26. Let’s take a snapshot of this current state of the involved observables and link it to the Incident. Click Assign to Incident at the
top of the UI, and then click Assign next to your Incident in the list (your incident will be the top item named Intrusion event
1:1000001:1). You may have to search again for MALWARE CNC SIGNAL to find it.

27. When complete, click Close.

28. Because we are investigating our internal IP, we have a busy graph. Let’s add the relevant items to a new casebook. From the
pivot menu for the external IP (31.210.117.131), select Add to New Case.

29. For each of the following, open the pivot menu and select Add to Current Case:

 Reverse DNS domain of the external IP (31-210-117-131.turkrdns.com)

 File hash that was returned by the enrichment process as having connected to the external IP

NOTE: If there are more than one, select 6cf7e427ab52ea95214cbd937a21cd8e8a4e80f1ef2c53cd8cb83c88a5436aee.

30. Open the Casebooks widget at bottom right and show the current case with these observables.

31. Give the Casebook a unique name and descriptive note.

32. Click Investigate this case in the Casebooks widget.

 With the file(s) added to the investigation, you will see much more information.

 With the internal IP address removed from the investigation, you will only see it where it is relevant to this Incident.

33. Looking at the results, you see a large amount of new data. You get file paths, and filenames, reported by AMP. You also get
email data showing that this file was an attachment to at least one inbound email. We see several new target email addresses,
email subject lines, and the sender of the malicious email.

Value Proposition: This is all reported by the SMA/ESA module and shows that the file that contacted this known malicious IP as a
C&C connection was emailed into our environment.

34. Note that the target count and target list in the top menu bar is updated as well.

NOTE: The exact numbers, names, and other details of targets may differ. As long as there are email addresses and the ESA AMP
Unity process is shown, all is well.

Value Proposition: We can now see that this threat was emailed multiple times into our environment (as reported by our SMA/ESA
deployment), and executed at least once on one machine as recorded by AMP, where it called out to a C&C resource, a connection
that triggered an Intrusion Event alert on our Firepower device. We also know that Umbrella recorded two other devices requesting
an IP for the domain that was provided to us in the automatic Incident Enrichment process. We know all of this because Threat
Response tied together reports and results from AMP for Endpoints (including AMP Unity), Umbrella, a Cisco Email Security
Appliance, and Firepower. We’ll record these additional findings, but first let’s mitigate this threat with some immediate response
actions.

Blocking Threats
Because we are confident that our target endpoint is infected, we will use the AMP for Endpoints module to isolate the host.

1. From the relations graph, click our target endpoint.

2. From the info window at the top left (NOT the context menu), click the arrow next to AMP Computer GUID,
and select Start Isolation.

3. From the Relations Graph or Observables pane, open the pivot menu for the domain that was contacted, and under the
Umbrella module heading click Block this domain.

4. Select the unknown file that connected to the IP.

5. Under the AMP module heading, click Add SHA256 to custom detections […].

NOTE: There may be more than one of these options, as shown below. It doesn’t matter whether you pick one or show that you can
add to more than one.

NOTE: Other users may be logged into this demo at the same time, or another user may not have cleaned up the information
before logging off. If they have already blocked an item, you won’t see that option, but you will see the option to remove it from the
block list. Feel free to remove it and/or add it again.

Value Proposition: Explain that with AMP Unity, the block list we just added this file to can also be enforced at web, email, and
network gateways, allowing them to block a file enterprise-wide with two clicks.

Point out how quickly we just went from an Incident involving only two IP addresses and an Indicator, to a full view of the threat as
it traversed email, landed on the endpoint, called out to C&C over the network, and how we then took immediate response actions
to block further execution of the threat - in minutes.

Record Keeping

1. With this new information, and with immediate first response actions taken, we should again document our findings.
Click Assign to Incident, and select Assign next to the Incident from which we started.

2. Click through the process until the popup disappears.

3. Go back to the Incident: Click Incidents in the top menu and select the same Incident from the list.

4. At the top of the resulting Incident Details view, click Link Casebook.

5. Use the Search functionality to find the Casebook you created, select it, and click Assign to add it to this Incident.

6. Scroll down and show that there are now (at least) your two snapshots and one casebook assigned to this Incident.

NOTE: Because this is a shared environment, there might be other casebooks and snapshots assigned to this incident. This
does not affect your demonstration. In fact, it is a feature that multiple SOC analysts can work an incident together and
each add relevant research results.

Conclusion
The demonstration provided in Scenario 2 is a simple walkthrough of the Threat Response interface that shows how to investigate
an incident that Incident Manager has triaged for you. This demonstrates the power of Threat Response that is immediately
available to bring to bear on these investigations of high priority incidents from integrated Firepower devices. In this scenario, we
benefited from the built-in automated triage functions of Cisco’s cloud event promotion into the Incident Manager, enriched that
alert with internal context and telemetry from 5 or more integrated systems, and took the most critical immediate response actions
from within the same interface across multiple control systems. All in one interface in a minimum amount of time. This is the power
of Cisco’s integrated security architecture.

What’s Next?
Learn more about Cisco Threat Response at our website or explore other demonstrations on dCloud.
